Published by Scottish Council for Voluntary Organisations

TFN is published by the Scottish Council for Voluntary Organisations, Mansfield Traquair Centre, 15 Mansfield Place, Edinburgh, EH3 6BB. The Scottish Council for Voluntary Organisations (SCVO) is a Scottish Charitable Incorporated Organisation. Registration number SC003558.

GDPR preparations must look for weak links in operations


Nimarta Cheema of Lindsays says weak links must be sought out with the approach of GDPR

Charities and social enterprises whose preparations for the new data protection rules centre on marketing and fund-raising could leave themselves exposed to breaches in other areas.

With much of the advice around the General Data Protection Regulation (GDPR) focusing on ensuring that marketing and HR practices are compliant with the new rules, we’re seeing charities and social enterprises make good progress on this.

Many organisations are auditing the data they hold on employees, volunteers and service users and are taking steps towards compliance.

It’s not just marketing and HR

But third sector organisations are still at risk of failing to comply with the new rules in respect of other data they hold – such as personal data relating to customers, clients, contractors, and other business contacts.

This data will also need to be audited and acted upon before the GDPR takes effect on 25 May.

The difficulty with this other data – which lies outside the realm of HR and marketing – is that it’s likely to be spread across different departments or teams.

Yet every organisation, however large or small, needs to review what information it holds on suppliers, contractors, customers and other contacts.

Organisations need to consider where that data came from; how it is used; and how and where it is stored.

Charities and social enterprises will also need to review their “lawful basis” under the GDPR for holding and processing personal data and this should be made clear to the relevant individuals up-front.

For most charities and social enterprises, this will mean reviewing – and probably tweaking – contracts (especially any data sharing or data processing contracts), terms of business, and privacy notices.

Going beyond a data audit

The other issue many charities and social enterprises face is not having sufficient administrative processes in place to be able to deal with their increased obligations under the GDPR – for example, dealing with requests to view, update, move or delete data; and monitoring for breaches.

Again, since HR and marketing teams have been the focus of many organisations’ GDPR preparations to date, most are making good progress on developing pro forma responses to requests from individuals, and designing new processes for monitoring compliance with the new requirements for obtaining consent.

But compliance must be organisation-wide, reaching teams that may hold personal data in other contexts. Since these teams are less likely to systemise the way they process and hold personal data, they may not yet have audited their data or reviewed their administrative processes.

Updating your action plan

There’s much written about the GDPR, especially information about reviewing your marketing and HR procedures to prepare for the new rules. But there are three points you should keep in mind to ensure there are no weak links in your plans.

Firstly, third sector organisations must be careful not to focus solely on data relating to donors, employees and volunteers and overlook personal data in other contexts, such as data relating to customers, clients, contractors, and other business contacts.

Secondly, much of the information around is excellent, but when looking at contracts, terms of business and privacy notices and ensuring these comply with the new rules, you’ll probably need to take advice tailored to your own arrangements.

Thirdly, 25 May is not just the starting-point for the new rules; it should also be viewed as an end-point. It is the date by which charities must have all their preparations completed, which means kicking off their new compliance arrangements as soon as possible.

Any charity that hasn't already conducted a full audit of the personal data it holds and processes, and considered the administrative processes it has in place, should do so now without delay.

Nimarta Cheema is a solicitor in the corporate and technology team at Lindsays.